interfaces: convert `repository.irevisiondelta` from zope `Attribute` attrs

This is the same transformation as b455dfddfed0 did for dirstate.

File last commit:

r53185:085cc409 default
r53366:2aada52e default
test-https.t
590 lines | 28.3 KiB | text/troff | Tads3Lexer
Matt Mackall
tests: replace exit 80 with #require
r22046 #require serve ssl
Mads Kiilerich
serve: fix https mode and add test...
r12740
Matt Mackall
tests: replace exit 80 with #require
r22046 Proper https client requires the built-in ssl from Python 2.6.
Mads Kiilerich
serve: fix https mode and add test...
r12740
Yuya Nishihara
test-https: turn off system OpenSSL configuration...
r42140 Disable the system configuration which may set stricter TLS requirements.
This test expects that legacy TLS versions are supported.
$ OPENSSL_CONF=
$ export OPENSSL_CONF
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 Make server certificates:
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ CERTSDIR="$TESTDIR/sslcerts"
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
$ PRIV=`pwd`/server.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ hg init test
$ cd test
$ echo foo>foo
$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
$ echo foo>foo.d/foo
$ echo bar>foo.d/bAr.hg.d/BaR
$ echo bar>foo.d/baR.d.hg/bAR
$ hg commit -A -m 1
adding foo
adding foo.d/bAr.hg.d/BaR
adding foo.d/baR.d.hg/bAR
adding foo.d/foo
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
$ cat ../hg0.pid >> $DAEMON_PIDS
timeless
cacert: improve error report when web.cacert file does not exist
r13544 cacert not found
$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
abort: could not find web.cacerts: no-such.pem
[255]
Mads Kiilerich
serve: fix https mode and add test...
r12740 Test server address cannot be reused
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
r17023 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
Matt Harbison
tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages...
r35233 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
r17023 [255]
Matt Harbison
tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages...
r35233
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ cd ..
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 Our test cert is not signed by a trusted CA. It should fail to verify if
we are able to load CA certs.
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575
Manuel Jacob
tests: remove "sslcontext" check...
r45417 #if no-defaultcacertsloaded
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575 $ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
r29449 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Martin von Zweigbergk
tests: update test-https.t's #no-defaultcacertsloaded block with new exit code...
r46514 [100]
Gregory Szorc
tests: better testing of loaded certificates...
r29481 #endif
#if defaultcacertsloaded
$ hg clone https://localhost:$HGPORT/ copy-pull
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Gregory Szorc
tests: better testing of loaded certificates...
r29481 abort: error: *certificate verify failed* (glob)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Gregory Szorc
tests: better testing of loaded certificates...
r29481 #endif
Matt Harbison
tests: add globs for Windows
r31766 Specifying a per-host certificate file that doesn't exist will abort. The full
C:/path/to/msysroot will print on Windows.
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334
$ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
Matt Harbison
tests: add globs for Windows
r31766 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 [255]
A malformed per-host certificate file will raise an error
$ echo baddata > badca.pem
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
r29446 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
abort: error loading CA file badca.pem: * (glob)
(file is empty or malformed?)
[255]
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334
A per-host certificate mismatching the server will fail verification
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
r29449 (modern ssl is able to discern whether the loaded cert is a CA cert)
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
r29449 abort: error: *certificate verify failed* (glob)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334
A per-host certificate matching the server's cert will be accepted
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Denis Laxalde
transaction-summary: show the range of new revisions upon pull/unbundle (BC)...
r34662 new changesets 8b6053c928fe
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334
A per-host certificate with multiple certs and one matching will be accepted
$ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
$ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Denis Laxalde
transaction-summary: show the range of new revisions upon pull/unbundle (BC)...
r34662 new changesets 8b6053c928fe
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334
Defining both per-host certificate and a fingerprint will print a warning
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Denis Laxalde
transaction-summary: show the range of new revisions upon pull/unbundle (BC)...
r34662 new changesets 8b6053c928fe
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 Inability to verify peer certificate will result in abort
Mads Kiilerich
serve: fix https mode and add test...
r12740
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 [150]
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411
$ hg clone --insecure https://localhost:$HGPORT/ copy-pull
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
serve: fix https mode and add test...
r12740 requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Denis Laxalde
transaction-summary: show the range of new revisions upon pull/unbundle (BC)...
r34662 new changesets 8b6053c928fe
Mads Kiilerich
serve: fix https mode and add test...
r12740 updating to branch default
4 files updated, 0 files merged, 0 files removed, 0 files unresolved
Raphaël Gomès
tests: use the `--quiet` flag for verify when applicable...
r50720 $ hg verify -R copy-pull -q
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ cd test
$ echo bar > bar
$ hg commit -A -d '1 0' -m 2
adding bar
$ cd ..
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 pull without cacert
Mads Kiilerich
serve: fix https mode and add test...
r12740
$ cd copy-pull
FUJIWARA Katsunori
tests: invoke printenv.py via sh -c for test portability...
r30234 $ cat >> .hg/hgrc <<EOF
> [hooks]
Boris Feld
test: use `printenv.py --line` in `test-https.t`...
r41790 > changegroup = sh -c "printenv.py --line changegroup"
FUJIWARA Katsunori
tests: invoke printenv.py via sh -c for test portability...
r30234 > EOF
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 $ hg pull $DISABLECACERTS
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 [150]
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411
$ hg pull --insecure
pulling from https://localhost:$HGPORT/
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
serve: fix https mode and add test...
r12740 searching for changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 1 changes to 1 files
Denis Laxalde
transaction-summary: show the range of new revisions upon pull/unbundle (BC)...
r34662 new changesets 5fed3813f7f5
Boris Feld
test: use `printenv.py --line` in `test-https.t`...
r41790 changegroup hook: HG_HOOKNAME=changegroup
HG_HOOKTYPE=changegroup
HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
HG_SOURCE=pull
HG_TXNID=TXN:$ID$
transaction: include txnname in the hookargs dictionary...
r42062 HG_TXNNAME=pull
https://localhost:$HGPORT/
Boris Feld
test: use `printenv.py --line` in `test-https.t`...
r41790 HG_URL=https://localhost:$HGPORT/
Mads Kiilerich
serve: fix https mode and add test...
r12740 (run 'hg update' to get a working copy)
$ cd ..
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 cacert configured in local repo
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
$ echo "[web]" >> copy-pull/.hg/hgrc
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
Augie Fackler
test-https: drop two spurious --traceback flags...
r29842 $ hg -R copy-pull pull
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
Eduard-Cristian Stefan
url: expand path for web.cacerts
r13231 cacert configured globally, also testing expansion of environment
variables in the filename
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192
$ echo "[web]" >> $HGRCPATH
Eduard-Cristian Stefan
url: expand path for web.cacerts
r13231 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg -R copy-pull pull
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192
Gregory Szorc
tests: add test for empty CA certs file...
r29445 empty cacert file
$ touch emptycafile
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
r29446
$ hg --config web.cacerts=emptycafile -R copy-pull pull
pulling from https://localhost:$HGPORT/
abort: error loading CA file emptycafile: * (glob)
(file is empty or malformed?)
[255]
Gregory Szorc
tests: add test for empty CA certs file...
r29445
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 cacert mismatch
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
Jun Wu
tests: use LOCALIP...
r31008 > https://$LOCALIP:$HGPORT/
pulling from https://*:$HGPORT/ (glob)
Augie Fackler
tests: fix missing (glob) annotations in test-https.t
r31813 abort: $LOCALIP certificate error: certificate is for localhost (glob)
Jun Wu
tests: use LOCALIP...
r31008 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 [150]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
Jun Wu
tests: use LOCALIP...
r31008 > https://$LOCALIP:$HGPORT/ --insecure
pulling from https://*:$HGPORT/ (glob)
Augie Fackler
tests: fix missing (glob) annotations in test-https.t
r31813 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 searching for changes
no changes found
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
> --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 searching for changes
no changes found
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Test server cert which isn't valid yet
Jun Wu
tests: reorder hg serve commands...
r28549 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 $ cat hg1.pid >> $DAEMON_PIDS
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
> https://localhost:$HGPORT1/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT1/
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Test server cert which no longer is valid
Jun Wu
tests: reorder hg serve commands...
r28549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 $ cat hg2.pid >> $DAEMON_PIDS
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
> https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT2/
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314
Gregory Szorc
sslutil: support defining cipher list...
r29577 Setting ciphers to an invalid value aborts
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
abort: could not set ciphers: No cipher can be selected.
(change cipher string (invalid) in config)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
abort: could not set ciphers: No cipher can be selected.
(change cipher string (invalid) in config)
[255]
Changing the cipher string works
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
5fed3813f7f5
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 Fingerprints
Mads Kiilerich
spelling: fixes of non-dictionary words
r30332 - works without cacerts (hostfingerprints)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
Gregory Szorc
sslutil: tweak the legacy [hostfingerprints] warning message...
r32273 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 5fed3813f7f5
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 - works without cacerts (hostsecurity)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and first matches
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: tweak the legacy [hostfingerprints] warning message...
r32273 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and last matches
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: tweak the legacy [hostfingerprints] warning message...
r32273 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and none match
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
r28847 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 (check hostfingerprint configuration)
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 [150]
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
Gregory Szorc
sslutil: reference appropriate config section in messaging...
r29268 (check hostsecurity configuration)
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 [150]
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 - fails when cert doesn't match hostname (port is ignored)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
Matt Mackall
sslutil: more helpful fingerprint mismatch message...
r15997 (check hostfingerprint configuration)
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 [150]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
r18588
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 - ignores that certificate doesn't match hostname
Jun Wu
tests: use LOCALIP...
r31008 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
Gregory Szorc
sslutil: tweak the legacy [hostfingerprints] warning message...
r32273 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 5fed3813f7f5
Mads Kiilerich
tests: test https through http proxy...
r13423
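The fingerprint tests above pin a server by a digest of its certificate, accept a comma-separated list in which any one entry may match, and print a SHA-256 replacement entry for legacy SHA-1 pins. The sketch below models that matching in Python; it is an added example, not Mercurial's sslutil code, and the function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the DER encoding of a server certificate.
SAMPLE_DER = b"constructed-der-certificate-bytes"

# Algorithms that appear in the test transcript above.
DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def fingerprint(der_cert, alg):
    """Digest of the certificate as colon-separated hex, e.g. 'ec:d8:7c:...'."""
    hexdigest = DIGESTS[alg](der_cert).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_pins(value, legacy=False):
    """Parse a comma-separated pin list into (algorithm, hexdigest) pairs.

    legacy=True models a [hostfingerprints] value: bare SHA-1 digests.
    legacy=False models hostsecurity.<host>:fingerprints; this example
    requires a 'sha1:' or 'sha256:' prefix there. Colons inside the digest
    are optional in both forms, as in the commands above.
    """
    pins = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if legacy:
            alg, digest = "sha1", item
        else:
            alg, sep, digest = item.partition(":")
            alg = alg.lower()
            if not sep or alg not in DIGESTS:
                raise ValueError("pin needs a sha1: or sha256: prefix: %r" % item)
        digest = digest.replace(":", "").lower()
        want_len = DIGESTS[alg]().digest_size * 2
        if len(digest) != want_len or set(digest) - set("0123456789abcdef"):
            raise ValueError("malformed %s digest: %r" % (alg, item))
        pins.append((alg, digest))
    return pins


def check_pins(der_cert, pins):
    """Return (matched, presented) for a certificate and a parsed pin list.

    Any single matching pin is enough. On mismatch, 'presented' is the
    certificate's fingerprint in the algorithm of the first configured pin,
    which is what an operator needs in order to compare against the config.
    """
    if not pins:
        # An empty pin list must never be read as "accept anything".
        raise ValueError("no fingerprints configured")
    for alg, want in pins:
        got = DIGESTS[alg](der_cert).hexdigest()
        if hmac.compare_digest(got, want):
            return True, "%s:%s" % (alg, fingerprint(der_cert, alg))
    first_alg = pins[0][0]
    return False, "%s:%s" % (first_alg, fingerprint(der_cert, first_alg))


def hostsecurity_entry(host, der_cert):
    """Build the SHA-256 [hostsecurity] entry that replaces a legacy SHA-1 pin."""
    return "%s:fingerprints=sha256:%s" % (host, fingerprint(der_cert, "sha256"))


if __name__ == "__main__":
    sha1_pin = fingerprint(SAMPLE_DER, "sha1").replace(":", "")
    stale = "deadbeef" * 5  # constructed non-matching SHA-1 value
    pins = parse_pins("sha1:%s, sha1:%s" % (stale, sha1_pin))
    print(check_pins(SAMPLE_DER, pins))
    print(hostsecurity_entry("localhost", SAMPLE_DER))
```

A pin only identifies the certificate bytes: as the "ignores that certificate doesn't match hostname" case shows, no hostname or CA check backs it up, so pins have to be rotated whenever the server certificate is reissued.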
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 Ports used by next test. Kill servers.
Matt Harbison
tests: stop killing (most) https servers individually...
r53183 $ killdaemons.py $DAEMON_PIDS
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559
Manuel Jacob
tests: remove "sslcontext" check...
r45417 #if tls1.2
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 Start servers running supported TLS versions
$ cd test
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
pacien
configitems: make devel.serverexactprotocol look dangerous...
r51293 > --config devel.server-insecure-exact-protocol=tls1.0
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ cat ../hg0.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
pacien
configitems: make devel.serverexactprotocol look dangerous...
r51293 > --config devel.server-insecure-exact-protocol=tls1.1
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ cat ../hg1.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
pacien
configitems: make devel.serverexactprotocol look dangerous...
r51293 > --config devel.server-insecure-exact-protocol=tls1.2
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ cat ../hg2.pid >> $DAEMON_PIDS
Matt Harbison
sslutil: add support for clients to set TLSv1.3 as the minimum protocol...
r53182 #if tls1.3
$ hg serve -p $HGPORT3 -d --pid-file=../hg3.pid --certificate=$PRIV \
> --config devel.server-insecure-exact-protocol=tls1.3
$ cat ../hg3.pid >> $DAEMON_PIDS
#endif
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ cd ..
Clients talking same TLS versions work
pacien
sslutil: set context security level for legacy tls testing (issue6760)...
r51294 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT/
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 5fed3813f7f5
pacien
sslutil: set context security level for legacy tls testing (issue6760)...
r51294 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT1/
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
5fed3813f7f5
Matt Harbison
sslutil: add support for clients to set TLSv1.3 as the minimum protocol...
r53182 #if tls1.3
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT3/
5fed3813f7f5
#endif
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559
Clients requiring newer TLS version than what server supports fail
Gregory Szorc
sslutil: require TLS 1.1+ when supported...
r29560 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
Matt Harbison
sslutil: bump the default minimum TLS version of the client to 1.2 (BC)...
r53185 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Julien Cristau
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code...
r49933 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Gregory Szorc
sslutil: require TLS 1.1+ when supported...
r29560
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Julien Cristau
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code...
r49933 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Julien Cristau
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code...
r49933 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Julien Cristau
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code...
r49933 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559
Matt Harbison
sslutil: add support for clients to set TLSv1.3 as the minimum protocol...
r53182 #if tls1.3
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT/
(could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
[100]
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT1/
(could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
[100]
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT2/
(could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
[100]
#endif
Gregory Szorc
sslutil: allow TLS 1.0 when --insecure is used...
r29617 --insecure will allow TLS 1.0 connections and override configs
$ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
5fed3813f7f5
Matt Harbison
sslutil: add support for clients to set TLSv1.3 as the minimum protocol...
r53182 #if tls1.3
$ hg --config hostsecurity.minimumprotocol=tls1.3 id --insecure https://localhost:$HGPORT2/
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
5fed3813f7f5
#endif
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 The per-host config option overrides the default
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
pacien
sslutil: set context security level for legacy tls testing (issue6760)...
r51294 > --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" \
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 > --config hostsecurity.minimumprotocol=tls1.2 \
> --config hostsecurity.localhost:minimumprotocol=tls1.0
5fed3813f7f5
The per-host config option by itself works
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config hostsecurity.localhost:minimumprotocol=tls1.2
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Julien Cristau
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code...
r49933 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559
Gregory Szorc
hg: copy [hostsecurity] options to remote ui instances (issue5305)...
r29616 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
$ cat >> copy-pull/.hg/hgrc << EOF
> [hostsecurity]
> localhost:minimumprotocol=tls1.2
> EOF
$ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Julien Cristau
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code...
r49933 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Gregory Szorc
hg: copy [hostsecurity] options to remote ui instances (issue5305)...
r29616
Matt Harbison
tests: stop killing (most) https servers individually...
r53183 $ killdaemons.py $DAEMON_PIDS
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 #endif
Matt Mackall
tests: fix startup/shutdown races in test-https...
r16300
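The protocol-floor rules exercised by the tests above, as an added Python model (not part of test-https.t and not Mercurial's sslutil code). The helper names are hypothetical, the `--config` flags are written as hgrc text, and the `hostsecurity.ciphers` security-level setting the legacy cases also pass is not modelled.

```python
import configparser
import ssl

# Protocol names as written in the test's config values, oldest first.
ORDER = ["tls1.0", "tls1.1", "tls1.2", "tls1.3"]
TLS_VERSION = {
    "tls1.0": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
    "tls1.3": ssl.TLSVersion.TLSv1_3,
}
DEFAULT_MINIMUM = "tls1.2"  # floor the test output reports when nothing is set


def effective_minimum(hgrc_text, host, insecure=False):
    """Return the client's protocol floor for `host` (hypothetical helper)."""
    if insecure:
        # The test states that --insecure allows TLS 1.0 and overrides configs.
        return "tls1.0"
    # ':' must not be a key/value delimiter, or "localhost:minimumprotocol"
    # would be split into key "localhost" and a bogus value.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(hgrc_text)
    section = cp["hostsecurity"] if cp.has_section("hostsecurity") else {}
    # The per-host key wins over the global key, which wins over the default.
    value = (section.get(host.lower() + ":minimumprotocol")
             or section.get("minimumprotocol")
             or DEFAULT_MINIMUM)
    if value not in ORDER:
        raise ValueError("unknown protocol name: %r" % value)
    return value


def can_negotiate(client_minimum, server_exact):
    """A server pinned to one version is reachable only at or above the floor."""
    return ORDER.index(server_exact) >= ORDER.index(client_minimum)


def client_context(minimum):
    """Build a verifying client context that refuses anything below `minimum`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = TLS_VERSION[minimum]
    return ctx


# Constructed cases: (hgrc text, --insecure?, version the server is pinned to).
PER_HOST = ("[hostsecurity]\nminimumprotocol=tls1.2\n"
            "localhost:minimumprotocol=tls1.0\n")
CASES = [
    ("", False, "tls1.0"),                                        # default floor
    ("[hostsecurity]\nminimumprotocol=tls1.1\n", False, "tls1.0"),
    (PER_HOST, False, "tls1.0"),                                  # host override
    ("[hostsecurity]\nlocalhost:minimumprotocol=tls1.2\n", False, "tls1.0"),
    ("[hostsecurity]\nminimumprotocol=tls1.2\n", True, "tls1.1"),  # --insecure
    ("[hostsecurity]\nminimumprotocol=tls1.2\n", False, "tls1.2"),
]


def replay(cases=CASES, host="localhost"):
    """Return True per case where the model predicts a successful handshake."""
    return [can_negotiate(effective_minimum(text, host, insecure), server)
            for text, insecure, server in cases]


if __name__ == "__main__":
    for (text, insecure, server), ok in zip(CASES, replay()):
        mode = "insecure" if insecure else "verified"
        print(server, mode, "->", "ok" if ok else "abort")
```

The per-host override lowers the floor only for the named host; any other host in the same configuration keeps the global value.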
Mads Kiilerich
tests: test https through http proxy...
r13423 Prepare for connecting through proxy
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
$ cat hg0.pid >> $DAEMON_PIDS
$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
$ cat hg2.pid >> $DAEMON_PIDS
tinyproxy.py doesn't fully detach, so killing it may result in extra output
from the shell. So don't kill it.
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
Mads Kiilerich
tests: use 'do sleep 0' instead of 'do true', also on first line of command...
r16496 $ while [ ! -f proxy.pid ]; do sleep 0; done
Mads Kiilerich
tests: test https through http proxy...
r13423 $ cat proxy.pid >> $DAEMON_PIDS
$ echo "[http_proxy]" >> copy-pull/.hg/hgrc
$ echo "always=True" >> copy-pull/.hg/hgrc
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
$ echo "localhost =" >> copy-pull/.hg/hgrc
Test unvalidated https through proxy
Augie Fackler
test-https: drop two spurious --traceback flags...
r29842 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
tests: test https through http proxy...
r13423 searching for changes
no changes found
Test https with cacert and fingerprint through proxy
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub.pem"
Mads Kiilerich
tests: test https through http proxy...
r13423 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Jun Wu
tests: use LOCALIP...
r31008 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
pulling from https://*:$HGPORT/ (glob)
Gregory Szorc
sslutil: tweak the legacy [hostfingerprints] warning message...
r32273 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
Mads Kiilerich
tests: test https through http proxy...
r13423 searching for changes
no changes found
Test https with cert problems through proxy
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-other.pem"
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT2/
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
Manuel Jacob
url: raise error if CONNECT request to proxy was unsuccessful...
r50172 Test when proxy can't connect to server
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure https://localhost:0/
pulling from https://localhost:0/
Matt Harbison
tests: use pattern matching to mask `ECONNREFUSED` messages...
r52835 abort: error: Tunnel connection failed: 404 (\$ECONNREFUSED\$|\$EADDRNOTAVAIL\$) (re)
Manuel Jacob
url: raise error if CONNECT request to proxy was unsuccessful...
r50172 [100]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ killdaemons.py hg0.pid
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
r33381 $ cd test
Missing certificate file(s) are detected
$ hg serve -p $HGPORT --certificate=/missing/certificate \
> --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
Matt Harbison
test-https: properly conditionalize Windows vs non-Windows output...
r33576 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
r33381 [255]
$ hg serve -p $HGPORT --certificate=$PRIV \
> --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
Matt Harbison
test-https: properly conditionalize Windows vs non-Windows output...
r33576 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
r33381 [255]
Gregory Szorc
hgweb: use sslutil.wrapserversocket()...
r29555 Start hgweb that requires client certificates:
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
Gregory Szorc
hgweb: use sslutil.wrapserversocket()...
r29555 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 $ cat ../hg0.pid >> $DAEMON_PIDS
$ cd ..
without client certificate:
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
Julien Cristau
test: accept another error message on lack of TLS client certificate...
r49934 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure|EOF occurred).* (re)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
with client certificate:
$ cat << EOT >> $HGRCPATH
> [auth]
> l.prefix = localhost
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 > l.cert = $CERTSDIR/client-cert.pem
> l.key = $CERTSDIR/client-key.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 > EOT
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 5fed3813f7f5
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415 > --config ui.interactive=True --config ui.nontty=True
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415 abort: error: * (glob)
Martin von Zweigbergk
errors: set detailed exit code to 100 for some remote errors...
r46443 [100]
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
r33381 Missing certificate and key files result in error
$ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
Matt Harbison
test-https: properly conditionalize Windows vs non-Windows output...
r33576 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
r33381 (restore missing file or fix references in Mercurial config)
[255]
$ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
Matt Harbison
test-https: properly conditionalize Windows vs non-Windows output...
r33576 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
r33381 (restore missing file or fix references in Mercurial config)
[255]